Labels and taints

Workload placement controls and examples.

Labelling nodes

The hybrid cluster comprises of a virtual master node and bare-metal worker node with a single load balancer.

kubectl get nodes

NAME       STATUS   ROLES           AGE   VERSION
dev-m-v1   Ready    control-plane   13m   v1.32.9
dev-w-p1   Ready    <none>          12m   v1.32.9

Lets label the worker node:

kubectl label node dev-w-p1 kubernetes.io/role=worker

node/dev-w-p1 labeled

NAME       STATUS   ROLES           AGE   VERSION
dev-m-v1   Ready    control-plane   25m   v1.32.9
dev-w-p1   Ready    worker          25m   v1.32.9

Control plane nodes (masters) have a taint by default to ensure that normal workloads (apps, deployments, etc.) don’t end up on them.

To confirm the control-plane node (dev-m-v1) already has the default taint run this command:

kubectl describe node dev-m-v1 | grep -A3 Taints

Taints: node-role.kubernetes.io/control-plane:NoSchedule

This taint prevents regular workloads (pods without matching tolerations) from being scheduled on the control-plane
Only system components — like kube-apiserver, etcd, coredns, or network plugins such as Calico — can run there, since they include explicit tolerations for this taint

If, for some reason the taint was removed, it can be reapplied by this command:

kubectl taint nodes dev-m-v1 node-role.kubernetes.io/master=:NoSchedule

kubectl taint nodes — applies or removes taints on one or more nodes.
dev-m-v1 — the name of the node being tainted.
node-role.kubernetes.io/master — the key of the taint (a label-like identifier).
= — since no value is provided, it’s set as an empty string.
NoSchedule — the effect of the taint: → means “do not schedule any new pods that don’t tolerate this taint.”

To remove it (if you want to schedule pods on the master) run this command:

kubectl taint nodes dev-m-v1 node-role.kubernetes.io/master:NoSchedule-

That trailing dash (-) removes the taint.